FTP relay with active client is broken?

Alex Rousskov rousskov at measurement-factory.com
Wed Feb 8 16:11:32 UTC 2017

On 02/08/2017 06:10 AM, Alex wrote:

> I've specified
> 'ftp_port 2121 intercept' and made squid intercept outgoing FTP
> traffic according to the following rules:

> iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDIRECT --to-port 2121

> 07.02.2017, 16:23, "Alex" <gozzy at yandex.ru>:

>> I thought that active mode will cause less problems, but it seems
>> that what squid tries to do is illegal. As far as I understand, in
>> active mode squid tries to connect to a client and spoofs source IP
>> address.

Since spoofing client IP addresses is common for many working Squid
interception setups doing HTTP, it has to be technically possible (i.e.,
"legal" in your terminology). Unfortunately, I do not know enough
low-level details to guide you further. Most likely, the FTP-specific
Squid code facilitating IP spoofing is buggy or you are doing something
wrong (or both).

FWIW, IIRC, FTP interception code has worked for many folks.

Let's hope that somebody with a working FTP interception setup speaks up.
